Just to add my perception slightly from the outside - and I'm an A1 web2py fan for life now; I've spent the last year inside it and not a lot else! But it would probably take the framework up a few levels if there was a really good set of responses to this. Our app should hopefully start providing financial processing for some high profile orgs and this will be top of the list for them... we picked web2py as the security aspects were better than other frameworks we looked at (in our opinion). Some more formal, non gut-feel answers provided by external parties would make the sale (to our future customers and to future developers looking for a framework) a lot easier. We'll do our own work now on this as it's essential; happy to feed back anything useful we come up with.
On Monday, 5 October 2015 17:19:55 UTC+2, mcm wrote:
> +1
>
> it would be nice to have a blog for this type of news...
>
> 2015-10-05 15:27 GMT+02:00 Ian Ryder <i.r...@appichar.com.au>:
>
>> Thanks, just running some of their tools against our app - all good so far, if there's anything of interest I'll let you know (possibly off forum first :))
>>
>> On Monday, 5 October 2015 12:25:20 UTC+2, Niphlod wrote:
>>>
>>> here in ***undisclosed company*** web2py survives a https://www.qualys.com/ security scan with no reports whatsoever.
>>>
>>> On Sunday, October 4, 2015 at 2:47:44 PM UTC+2, Ian Ryder wrote:
>>>>
>>>> Hi, just looking back over anything about penetration testing and web2py - does anyone know of any recent (or any at all) testing of web2py? We're getting close to our first customers on an app we've been developing the last year so really need to try and pick it to pieces now while we have a few months to work on anything we need to.
>>>>
>>>> Thanks
>>>> Ian
>>>>
>>>> On Tuesday, 10 July 2012 19:42:46 UTC+2, Massimo Di Pierro wrote:
>>>>>
>>>>> Thank you Dave for the feedback. It would be nice to have the results of those tests (Cenzic, Hailstorm, Qualys) published somewhere. Once in a while people ask about this.
>>>>>
>>>>> Massimo
>>>>>
>>>>> On Tuesday, 10 July 2012 11:28:39 UTC-5, Dave wrote:
>>>>>>
>>>>>> Well....
>>>>>>
>>>>>> I can't say that I have tested the current trunk version, but last December I ran a pretty exhaustive penetration test against a site developed with web2py. The results were very good. No findings above low. The low findings were insignificant. I ran Cenzic Hailstorm, Qualys and one other automated vulnerability test suite (I can't remember which at the moment) against it without issue.
>>>>>>
>>>>>> Here are some things that can cause issue though...
>>>>>>
>>>>>> * anywhere you use the XML() method in a view you should make sure you have validation turned on. Even though the framework is resilient and does a good job of sanitizing data in & out, you can still end up in XSS or XSRF trouble with XML().
>>>>>>
>>>>>> * redirects can trip up or slow down a lot of vuln scanners. Watch out if you perform your own testing that you're not getting false negatives.
>>>>>>
>>>>>> I know some people that would take on a more "formal" assessment if there is consensus....
>>>>>>
>>>>>> Dave
>>>>>>
>>>>>> On Monday, July 9, 2012 11:48:39 AM UTC-4, scausten wrote:
>>>>>>>
>>>>>>> One of the awesome things about web2py is of course the built-in and well-documented resilience against a range of attack methods, but I was wondering if anyone has attempted a methodical (white-hat) attack to probe any potential weaknesses?
>>>>>>>
>>>>>>> Just out of interest :)
>>>>>>>
>> --
>> Resources:
>> - http://web2py.com
>> - http://web2py.com/book (Documentation)
>> - http://github.com/web2py/web2py (Source code)
>> - https://code.google.com/p/web2py/issues/list (Report Issues)
>> ---
>> You received this message because you are subscribed to the Google Groups "web2py-users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an email to web2py+un...@googlegroups.com.
>> For more options, visit https://groups.google.com/d/optout.
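Dave's first tip in the quoted thread (turn validation on wherever XML() is used in a view) is easier to reason about with the two paths side by side. The following is an added example, not code from the thread and not web2py's own code: a stdlib-only stand-in for a "mark this string as raw HTML" view helper, modelled only on the shape of web2py's XML(text, sanitize=...) call and implemented here with an allowlist sanitizer built on html.parser so it runs without web2py installed. The xml_helper name, the tag and attribute allowlists, the URL scheme allowlist and the sample input are all assumptions made for this example.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Allowlists are assumptions chosen for this example, not web2py's defaults.
PERMITTED_TAGS = {"a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li"}
ALLOWED_ATTRIBUTES = {"a": {"href", "title"}}
SAFE_URL_SCHEMES = {"", "http", "https", "mailto"}   # "" covers relative URLs
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}               # drop the tag *and* its body


class AllowlistSanitizer(HTMLParser):
    """Re-serialise HTML keeping only allowlisted tags and attributes.

    Anything not on the allowlist is dropped; text nodes are always re-escaped.
    """

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self._skip = 0   # > 0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip += 1
            return
        if tag not in PERMITTED_TAGS:
            return   # drop the tag; its text content is still emitted (escaped)
        allowed = ALLOWED_ATTRIBUTES.get(tag, set())
        parts = [tag]
        for name, value in attrs:
            if name not in allowed or value is None:
                continue   # event handlers (onclick, onerror, ...) never pass
            if name == "href" and urlsplit(value).scheme.lower() not in SAFE_URL_SCHEMES:
                continue   # javascript:, data:, vbscript: ... are rejected
            parts.append(f'{name}="{escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip = max(0, self._skip - 1)
            return
        if tag in PERMITTED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(escape(data, quote=False))


def xml_helper(text, sanitize=False):
    """Stand-in for a view helper that marks a string as raw HTML.

    Assumption: mirrors only the shape of web2py's XML(text, sanitize=...).
    sanitize=False returns the text untouched (no escaping at all), which is
    the dangerous path for untrusted input; sanitize=True applies the allowlist.
    """
    if not sanitize:
        return text
    parser = AllowlistSanitizer()
    parser.feed(text)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample of what an attacker-controlled field might contain.
    untrusted = ('<b>hello</b><script>alert(1)</script>'
                 '<a href="javascript:alert(1)" onclick="x()">link</a>')
    print("raw      :", xml_helper(untrusted))
    print("sanitized:", xml_helper(untrusted, sanitize=True))
```

With sanitize left at its default the helper hands the string to the page untouched, which is exactly the XSS path Dave warns about whenever the string came from a user or a database field a user could write to. With sanitize on, only allowlisted tags and attributes survive, event-handler attributes are never copied, and href values are checked against a scheme allowlist rather than a denylist. A scanner run on the kind of site described in the thread will only exercise views that actually render such input, so a grep for XML( calls in the views is a cheap complement to the automated tools.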